Malware Can Trick Windows Defender into Scanning Clean Files – New Research

Windows Defender is one of Microsoft’s most favorite features in Windows 10 that got the company the ire of antivirus firms. While Microsoft has started to play fair with the AV firms after a few troubles in Europe and Russia, the program is an important feature that is used by millions of Windows users as it’s the default choice for security on the operating system. Researchers now claim that malicious programs can bypass Windows Defender detection by tricking it into scanning a different file or absolutely nothing in its place.

Illusion Gap helps malware to bypass Windows Defender scanning

This new technique that has been dubbed as the Illusion Gap allows malware to bypass the antivirus application by exploiting the scanning process. Relying on both social engineering and rogue SMB server, the technique exploits Microsoft’s design choice in how Windows Defender (and possibly other AV products) scans files stored on an SMB share before execution.

Security researchers at CyberArk explained that AV apps catch the operation of an executable file by a kernel callback and then scan the file, usually by requesting its user mode agent to do so. The files already on disk aren’t scanned since it will assume the file has been scanned already. “However, running an executable from a SMB share requires the Antivirus to scan the file even on process creation,” the researchers added.

To escape scanning, the attacker has to convince a user to execute a file that has been hosted on a malicious SMB server, which according to researchers isn’t difficult as simple shortcut file will do. Once the user clicks on this file, Windows will request the SMB server for a copy of the file to execute the file, while Windows Defender will request a copy to scan it.

Researchers said that since SMB server can distinguish between these two requests, attackers can respond with two different files, sending malicious file to be loaded and benign file to Windows Defender for scanning purposes. Once Windows Defender gives an okay to the clean file, Windows PE Loader will execute the malicious file.

To identify which request is coming from what process, attacker will need to implement the SMB protocol to create a “pseudo-server” in order to differentiate between the two requests.

Microsoft says it’s not a security issue

According to CyberArk, the Redmond software giant doesn’t consider this as a security issue. Here’s what the company wrote to researchers:

“Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.”

CyberArk believes that other AV products might also be affected. “If you are able to identify which requests are coming from native antivirus and which are coming from native operations from Windows, you can do same trick for other antivirus,” researchers wrote.

We have reached out to Microsoft for a comment on this report and will update this space accordingly.